35 pages of spelling done
parent
00c593e0a2
commit
0910c482a9
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a vulnerability found in ZPanel's htpasswd module. When
|
||||
creating .htaccess using the htpasswd module, the username field can be used to
|
||||
inject system commands, which is passed on to a system() function for executing
|
||||
the system's htpasswd's command.
|
||||
the system's htpasswd command.
|
||||
|
||||
Please note: In order to use this module, you must have a valid account to login
|
||||
to ZPanel. An account part of any of the default groups should suffice, such as:
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'CA BrightStor ArcServe Media Service Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA
|
||||
BrightStor Arcserve. By sending a specially crafted SUNRPC request, an attacker
|
||||
BrightStor ARCserve. By sending a specially crafted SUNRPC request, an attacker
|
||||
can overflow a stack buffer and execute arbitrary code.
|
||||
},
|
||||
'Author' => [ 'toto' ],
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a vulnerability found in the ActiveX component of Adobe
|
||||
Flash Player before 11.5.502.149. By supplying a specially crafted swf file
|
||||
with special regex value, it is possible to trigger an memory corruption, which
|
||||
with special regex value, it is possible to trigger a memory corruption, which
|
||||
results in remote code execution under the context of the user, as exploited in
|
||||
the wild in February 2013. This module has been tested successfully with Adobe
|
||||
Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory',
|
||||
'Description' => %q{
|
||||
This module exploits an unintialized memory vulnerability in Adobe Flash Player. The
|
||||
This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The
|
||||
vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails
|
||||
to initialize allocated memory. When using a correct memory layout this vulnerability
|
||||
leads to a ByteArray object corruption, which can be abused to access and corrupt memory.
|
||||
|
|
|
@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
NOTE: This module uses a similar DEP bypass method to that used within the
|
||||
adobe_libtiff module. This method is unlikely to work across various
|
||||
Windows versions due a the hardcoded syscall number.
|
||||
Windows versions due a hardcoded syscall number.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a flaw in the handling of AOL Instant
|
||||
Messenger's 'goaway' URI handler. An attacker can execute
|
||||
arbitrary code by supplying a overly sized buffer as the
|
||||
arbitrary code by supplying an overly sized buffer as the
|
||||
'message' parameter. This issue is known to affect AOL Instant
|
||||
Messenger 5.5.
|
||||
},
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53.
|
||||
An attacker may be able to excute arbitrary code by sending an overly
|
||||
An attacker may be able to execute arbitrary code by sending an overly
|
||||
long string to the "ShortFormat()" method in askbar.dll.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX
|
||||
control. Verions of mps.dll including 3.9.4.27 and lower are affected. When passing
|
||||
control. Versions of mps.dll including 3.9.4.27 and lower are affected. When passing
|
||||
an overly long string to the method "OnBeforeVideoDownload" an attacker can execute
|
||||
arbitrary code.
|
||||
},
|
||||
|
|
|
@ -26,7 +26,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module allows remote attackers to place arbitrary files on a users file system
|
||||
by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX
|
||||
Control (BIImgFrm.ocx 12.0.0.0). Code exeuction can be acheived by first uploading the
|
||||
Control (BIImgFrm.ocx 12.0.0.0). Code execution can be achieved by first uploading the
|
||||
payload to the remote machine, and then upload another mof file, which enables Windows
|
||||
Management Instrumentation service to execute the binary. Please note that this module
|
||||
currently only works for Windows before Vista. Also, a similar issue is reported in
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll
|
||||
ActiveX Control provided by CommuniCrypt Mail 1.16. By sending a overly
|
||||
ActiveX Control provided by CommuniCrypt Mail 1.16. By sending an overly
|
||||
long string to the "AddAttachments()" method, an attacker may be able to
|
||||
execute arbitrary code.
|
||||
},
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl
|
||||
ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long
|
||||
ActiveX Control (NPSnpy.dll 1.1.0.36. When sending an overly long
|
||||
string to the CheckRequirements() method, an attacker may be able
|
||||
to execute arbitrary code.
|
||||
},
|
||||
|
|
|
@ -13,11 +13,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "Honeywell Tema Remote Installer ActiveX Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This modules exploits a vulnerability found in the Honewell Tema ActiveX Remote
|
||||
This module exploits a vulnerability found in the Honewell Tema ActiveX Remote
|
||||
Installer. This ActiveX control can be abused by using the DownloadFromURL()
|
||||
function to install an arbitrary MSI from a remote location without checking source
|
||||
authenticity or user notification. This module has been tested successfully with
|
||||
the Remote Installer ActiveX installed with HoneyWell EBI R410.1 - TEMA 5.3.0 and
|
||||
the Remote Installer ActiveX installed with Honeywell EBI R410.1 - TEMA 5.3.0 and
|
||||
Internet Explorer 6, 7 and 8 on Windows XP SP3.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -30,8 +30,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
The vulnerability is found in the "RunAndUploadFile" method
|
||||
where the "OtherFields" parameter with user controlled data
|
||||
is used to build a "Content-Dispoition" header and attach
|
||||
contents in a insecure way which allows to overflow a buffer
|
||||
is used to build a "Content-Disposition" header and attach
|
||||
contents in an insecure way which allows to overflow a buffer
|
||||
in the stack.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control',
|
||||
'Description' => %q{
|
||||
This module exploits a stack based buffer overflow in the Active control file
|
||||
ImageViewer2.OCX by passing a overly long argument to an insecure TifMergeMultiFiles()
|
||||
ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles()
|
||||
method. Exploitation results in code execution with the privileges of the user who
|
||||
browsed to the exploit page.
|
||||
|
||||
|
|
|
@ -29,7 +29,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00
|
||||
SP6. The overflow exists in the ISSymbol.ocx, and can be triggered with a long
|
||||
string argument for the InternationalSeparator() method of the ISSymbol control.
|
||||
This modules uses the msvcr71.dll form the Java JRE6 to bypass ASLR.
|
||||
This module uses the msvcr71.dll form the Java JRE6 to bypass ASLR.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer',
|
||||
'Description' => %q{
|
||||
This module exploits an uninitialized variable vulnerability in the
|
||||
Annotation Objects ActiveX component. The activeX component loads into memory without
|
||||
Annotation Objects ActiveX component. The ActiveX component loads into memory without
|
||||
opting into ALSR so this module exploits the vulnerability against windows Vista and
|
||||
Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX
|
||||
points to part of the ROP chain in a heap chunk and the calculated call will hit the
|
||||
|
|
|
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Sun Java Web Start Double Quote Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a flaw in the Web Start component of the Sun Java
|
||||
Runtime Environment. Parameters intial-heap-size and max-heap-size in a JNLP
|
||||
Runtime Environment. Parameters initial-heap-size and max-heap-size in a JNLP
|
||||
file can contain a double quote which is not properly sanitized when creating
|
||||
the command line for javaw.exe. This allows the injection of the -XXaltjvm
|
||||
option to load a jvm.dll from a remote UNC path into the java process. Thus
|
||||
|
|
|
@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
allows an attacker to execute arbitrary code in the context of an unsuspecting
|
||||
browser user.
|
||||
|
||||
In order for this module to work, it must be ran as root on a server that
|
||||
In order for this module to work, it must be run as root on a server that
|
||||
does not serve SMB. Additionally, the target host must have the WebClient
|
||||
service (WebDAV Mini-Redirector) enabled.
|
||||
},
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX
|
||||
Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.
|
||||
By sending a overly long string to the "Install()" method, an attacker may be
|
||||
By sending an overly long string to the "Install()" method, an attacker may be
|
||||
able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Logitech VideoCall ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX
|
||||
Control (wcamxmp.dll 2.0.3470.448). By sending a overly long string to the
|
||||
Control (wcamxmp.dll 2.0.3470.448). By sending an overly long string to the
|
||||
"Start()" method, an attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Macrovision InstallShield Update Service ActiveX Unsafe Method',
|
||||
'Description' => %q{
|
||||
This module allows attackers to execute code via an unsafe methods in Macrovision InstallShield 2008.
|
||||
This module allows attackers to execute code via an unsafe method in Macrovision InstallShield 2008.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'MC' ],
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability",
|
||||
'Description' => %q{
|
||||
This modules exploits a vulnerability found in McAfee Virtual Technician's
|
||||
This module exploits a vulnerability found in McAfee Virtual Technician's
|
||||
MVTControl. This ActiveX control can be abused by using the GetObject() function
|
||||
to load additional unsafe classes such as WScript.Shell, therefore allowing remote
|
||||
code execution under the context of the user.
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'McAfee Visual Trace ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX
|
||||
Control (NeoTraceExplorer.dll 1.0.0.1). By sending a overly long string to the
|
||||
Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the
|
||||
"TraceTarget()" method, an attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Firefox onreadystatechange Event DocumentViewerImpl Use After Free',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found on Firefox 17.0.6, specifically an use
|
||||
after free of a DocumentViewerImpl object, triggered via an specially crafted web
|
||||
This module exploits a vulnerability found on Firefox 17.0.6, specifically a use
|
||||
after free of a DocumentViewerImpl object, triggered via a specially crafted web
|
||||
page using onreadystatechange events and the window.stop() API, as exploited in the
|
||||
wild on 2013 August to target Tor Browser users.
|
||||
},
|
||||
|
|
|
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits an use after free vulnerability in Mozilla
|
||||
This module exploits a use after free vulnerability in Mozilla
|
||||
Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
|
||||
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
|
||||
becomes a dangling pointer and can be reused when setting the OBJECTs
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Mozilla Firefox 3.6. When an
|
||||
array object is configured with a large length value, the reduceRight() method
|
||||
may cause an invalid index being used, allowing abitrary remote code execution.
|
||||
may cause an invalid index being used, allowing arbitrary remote code execution.
|
||||
Please note that the exploit requires a longer amount of time (compare to a
|
||||
typical browser exploit) in order to gain control of the machine.
|
||||
},
|
||||
|
|
Loading…
Reference in New Issue